A multi-layered approach, including the end user, is required to keep up with sophisticated fraudsters.

Financial institutions have been battling cybercriminals for decades. A constantly evolving network of bad actors continues to identify and exploit vulnerabilities to perpetrate fraud. Traditional prevention approaches are a necessary first line of defense but are far from bullet-proof. And so criminal organizations continue to make millions.

The weakest link in this network continues to be the customer. Despite a relentless education campaign, banking customers remain either unwilling or unable to practice safe computing. And when losses occur, customers believe that regardless of their inability – or unwillingness – to implement secure online banking practices, the bank will reimburse their account for the entire loss. It often makes more sense for the bank to reimburse a small loss than dedicate the time and effort needed to deny the claim and potentially incur negative publicity. Meanwhile, assuaged by this false sense of security, consumers have little incentive to change their behavior.

In a recent case involving Choice Escrow Land Title LLC and BancorpSouth, the court sided with the bank regarding a $440,000 loss associated with the theft of the company’s online banking credentials and subsequent fraudulent wires. The ruling was based on the fact that Choice Escrow previously declined to use a process recommended by the bank, requiring two employees to approve wire transfers. However, in two separate, highly publicized cases involving Comerica and People’s United Bank, the courts ruled in favor of the customer in both cases.

There is no guarantee a court will rule in favor of the bank – regardless of the degree to which the customer failed to protect themselves.

Consumer Education Will Only Take You So Far

Financial institutions have long embraced customer education as an effective fraud prevention tool. Unfortunately, so long as consumers are indemnified from loss, these types of educational messages will likely fall upon deaf ears.

The FBI and the American Bankers Association (ABA) recommend designating a separate computer solely for online banking activities (i.e., no emailing or Internet browsing) to prevent online fraud. But limiting banking to one computer is neither convenient nor realistic for the vast majority of consumers. And this challenge only grows as customers increasingly leverage banking applications on their mobile devices.

When given the choice, customers will routinely opt for the “path of least resistance” when conducting business online. And this applies not just to banking, but to anyone who deals with customers, partners or employees online. The more complex the process, the less likely the customer will be to comply. Attempting to shift too much of the compliance burden to the end user will be met with resistance, and ultimately rejection. The last thing a company wants to do is make their online channel so unappealing to their customers that they leave in droves.

Unless customers are provided with a minimally invasive approach to secure their online activity, they will continue to engage in careless behavior that leaves them exposed to bad actors.

Achilles Heel of Online Fraud

To date, fraud prevention technology has overlooked the primary point of failure – the customer’s computer. Extending fraud prevention to the customer’s device through a secure browsing platform can dramatically reduce fraud-related losses. Such a browser creates a protected connection to the financial institution’s website. Since transactions can only take place via the personal browser and a secure proxy server, any malware that exists on the user’s computer is “blind” to the exchange of customer information.

Using this approach, the exchange of critical information in the transaction takes place at the server level, instead of at the user’s machine. A secure personal browser also thwarts more sophisticated tactics such as pharming, man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks. The browser turns the user’s computer into a dedicated machine for online banking that isolates critical data from the cybercriminal’s prying electronic eyes. Such an approach is effective, yet does not place an excessive or unrealistic compliance burden on the customer.

Financial institutions have little choice but to be on the bleeding edge of security best practices. In addition to adopting traditional fraud prevention technologies, including the detection and prevention of suspicious log-ins, transaction anomaly detection and real-time monitoring of account activity, banks are now realizing they must take security to the last line – the consumer herself.

Any organization that houses sensitive financial data and wants to stay ahead of the latest cybercriminal methodologies should follow the lead of these organizations, to learn how they might apply these security best practices to their own customers and corporate security posture.

Did you enjoy this article? Click here to subscribe to Security Magazine.

Mr. Ingevaldson is chief technology officer for Easy Solutions, a security vendor focused on Total Fraud Protection® against electronic fraud across all devices, channels and clouds. He can be reached at dingevaldson@easysol.net.

Events

The tragedy of the United States domestic violence situation is impossible to quantify. There is both a sordid history and an on-going crisis; a crisis that has become normalized. Since 2000, approximately more than 20,000 women have been murdered by domestic partners, or "family terrorists".

After attending this webinar, you will be able to identify and recognize how social media has changed corporate security, explore the implications of social media and make changes to your security team to compensate, obtain actionable insight into how to use social media to your advantage, utilize Real-life examples of how social media can be used as a critical dataset for effective event response

Products

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

Private industries need to join the fight against terrorist ideologies, says Financial Integrity Network Chairman Juan Zarate. Read how in the July edition of Security magazine. This issue also includes guidance about CSO compensation and salary, banking security, emergency notifications and more.